A logical tree structure and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups and subgroups, with each subgroup having a subgroup manager. Dual encryption allows the sender of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers manage the distribution of a second set of encryption keys. The two key sets allow the sender to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers can be either member subgroup managers or participant subgroup managers. Access to both keys is provided to member subgroup managers whereas access to only one key is provided to participant subgroup managers. Nodes can be added without the need to generate a new encryption key at the top level which provides improved scalability.